Cisco Firepower Management Center 2000 Developer Guide
B-35
FireSIGHT eStreamer Integration Guide
Appendix B Understanding Legacy Data Structures
Legacy Malware Event Data Structures
Table B-7 Malware Event Data Block Fields (continued)

Field                 | Data Type | Description
String Block Type     | uint32    | Initiates a String data block containing the file name. This value is always 0.
String Block Length   | uint32    | The number of bytes included in the File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Name field.
File Name             | string    | The name of the detected or quarantined file.
String Block Type     | uint32    | Initiates a String data block containing the file path. This value is always 0.
String Block Length   | uint32    | The number of bytes included in the File Path String data block, including eight bytes for the block type and header fields plus the number of bytes in the File Path field.
File Path             | string    | The file path, not including the file name, of the detected or quarantined file.
String Block Type     | uint32    | Initiates a String data block containing the file SHA hash. This value is always 0.
String Block Length   | uint32    | The number of bytes included in the File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the File SHA Hash field.
File SHA Hash         | string    | The SHA-256 hash value of the detected or quarantined file.
File Size             | uint32    | The size in bytes of the detected or quarantined file.
File Type             | uint8     | The file type of the detected or quarantined file.
File Timestamp        | uint32    | The creation timestamp of the detected or quarantined file.
String Block Type     | uint32    | Initiates a String data block containing the parent file name. This value is always 0.
String Block Length   | uint32    | The number of bytes included in the Parent File Name String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File Name field.
Parent File Name      | string    | The name of the file accessing the detected or quarantined file when detection occurred.
String Block Type     | uint32    | Initiates a String data block containing the parent file SHA hash. This value is always 0.
String Block Length   | uint32    | The number of bytes included in the Parent File SHA Hash String data block, including eight bytes for the block type and header fields plus the number of bytes in the Parent File SHA Hash field.
Parent File SHA Hash  | string    | The SHA-256 hash value of the parent file accessing the detected or quarantined file when detection occurred.
String Block Type     | uint32    | Initiates a String data block containing the event description. This value is always 0.
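A defensive parser for the run of fields listed in this table fragment, added here as an example; it is not Cisco's code or part of the guide. It assumes network (big-endian) byte order, that the fragment starts at the File Name String block (the fields before it are on the preceding page), and that the event description block begun in the last row uses the same String block layout; the sample record and its SHA-256 value are constructed.

```python
import hashlib
import struct

def parse_string_block(buf, off, field):
    """Parse one eStreamer String data block at buf[off].
    Layout per Table B-7: uint32 block type (always 0), uint32 block length
    counting the 8 header bytes plus the string bytes, then the string.
    The length comes from the wire, so it is bounded against the buffer
    before it is used to slice."""
    if off + 8 > len(buf):
        raise ValueError(f"{field}: truncated String block header")
    block_type, block_len = struct.unpack_from(">II", buf, off)
    if block_type != 0:
        raise ValueError(f"{field}: expected String block type 0, got {block_type}")
    if block_len < 8 or off + block_len > len(buf):
        raise ValueError(f"{field}: block length {block_len} exceeds buffer")
    value = buf[off + 8:off + block_len].decode("utf-8", errors="replace")
    return value, off + block_len

def build_string_block(text):
    """Encode a String data block; used here only to construct sample input."""
    data = text.encode("utf-8")
    return struct.pack(">II", 0, 8 + len(data)) + data

def parse_malware_file_fields(buf, off=0):
    """Parse the fields listed in this table fragment, in order.
    Returns (record, offset just past the event description block)."""
    rec = {}
    rec["file_name"], off = parse_string_block(buf, off, "File Name")
    rec["file_path"], off = parse_string_block(buf, off, "File Path")
    rec["file_sha"], off = parse_string_block(buf, off, "File SHA Hash")
    if off + 9 > len(buf):
        raise ValueError("truncated File Size / File Type / File Timestamp")
    # uint32 File Size, uint8 File Type, uint32 File Timestamp: 9 bytes, unpadded
    rec["file_size"], rec["file_type"], rec["file_timestamp"] = (
        struct.unpack_from(">IBI", buf, off))
    off += 9
    rec["parent_file_name"], off = parse_string_block(buf, off, "Parent File Name")
    rec["parent_file_sha"], off = parse_string_block(buf, off, "Parent File SHA Hash")
    rec["event_description"], off = parse_string_block(buf, off, "Event Description")
    return rec, off

# Constructed sample record; the SHA-256 is of a placeholder, not a real file.
SAMPLE_SHA = hashlib.sha256(b"constructed sample").hexdigest()
SAMPLE = (build_string_block("sample.exe") + build_string_block("/tmp/downloads")
          + build_string_block(SAMPLE_SHA) + struct.pack(">IBI", 4096, 1, 1700000000)
          + build_string_block("parent.exe") + build_string_block(SAMPLE_SHA)
          + build_string_block("constructed event"))
```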